John B.
1st Responder
 Joined: Dec 03, 2006 Posts: 843 Location: Netherlands
Posted: Sun Feb 17, 2008 12:31 pm Post subject: Infected Notepad files
Hi,
All my speeches to OPs, and the notes I make, I save in Notepad files. Like one month ago I did a Kaspersky scan on my desktop and it showed two infected Notepad files. I removed them. Last week I did a scan on this laptop where I regularly copy the documents of my desktop to, and it showed those infected Notepad files.
I am interested in what could be infected in a Notepad file with plain text. It may also be good to send samples to AV companies so I thought it'd be good to send you the files.
Virustotal results (one of the two files, but they have the same infection):
AhnLab-V3 - - -
AntiVir - - HTML/Exploit.Mhtml
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - HTML/Exploit!Mht.A
Ikarus - - -
Kaspersky - - Exploit.HTML.Mht
McAfee - - Exploit-MhtRedir.gen
Microsoft - - -
NOD32v2 - - -
Norman - - HTML/Exploit!Mht.A
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - Bloodhound.Exploit.6
TheHacker - - -
VBA32 - - -
VirusBuster - - VBS.Casino.A
Webwasher-Gateway - - Script.Exploit.Mhtml
Additional information
MD5: 02275b42876da49b85c61f3b6fdc6ecc
SHA1: 79fa7cdc5c2b0f2bb1f27afaab9f591f009e93c6
SHA256: 8ed18e062e95261cff32f9193de19b8401fd4c2bd57195f1896dafbded3ae7fc
SHA512: 90085e4f07dc6896f60cb63e7aa27615bd430e9f6ce67249679bc49a1a08ed0b bb5ced64ef151ba15d7c30ae1fa5ac927bc0b9137f29a042c4eb578af74bd9c0
Files are attached in archive with password.
Greets, John.
_________________
Trained by MalWare Removal
Proud member of ASAP - Alliance of Security Analysis Professionals
Proud member of UNITE - Unified Network of Instructors and Trusted Eliminators
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5879
Posted: Sun Feb 17, 2008 3:12 pm
In both files it's line O16 which is causing the problem. If you copy just that line into a .txt file and scan it you'll probably get the same results.
Years ago I remember a bad exploit that starts off looking similar to that line.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
John B.
1st Responder
 Joined: Dec 03, 2006 Posts: 843 Location: Netherlands
Posted: Sun Feb 17, 2008 3:29 pm
But opening the Notepad file will not 'run' the malware? How can it be that only this line is recognized and the hundreds of other lines in other Notepad files not?
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5879
Posted: Sun Feb 17, 2008 9:57 pm
No it won't run it. That line is recognised because I think it can be put into web pages to run the exploit.
John B.
1st Responder
 Joined: Dec 03, 2006 Posts: 843 Location: Netherlands
Posted: Mon Feb 18, 2008 6:57 am
Thanks tetak